DOCSLIB.ORG

CSI Computer Crime & Security Survey

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
CSI Computer Crime & Security Survey 2008 CSI Computer Crime & Security Survey The latest results from the longest-running project of its kind By Robert Richardson, CSI Director For the 13 th year, CSI has asked its community how they were affected by network and computer crime in the prior year and what steps they’ve taken to secure their organizations. Over 500 security professionals responded. Their answers are inside… 2008 CSI Computer Crime and Security Survey INTRODUCTION For several years, this survey—perhaps the most widely quoted set of statistics in the industry—showed a steady drop in average estimated losses due to cybercrime. It seemed counterintuitive to some experts, accustomed to seeing the worst of the crime that’s out there. Last year the tide turned and respondents reported a significant upswing. Given the changes in the nature and severity of network-borne threats, this seemed only natural. This year the average losses are back down again. And that’s puzzling, honestly. There seems little question that several sweeping changes in the overall state of IT practices—coupled with equally broad changes in the habits of the criminal world—are making significant, hard-hitting attacks easier and more lucrative for their perpetrators. What these results suggest, though, is that on most days at most organizations, the attacks are less imaginative than what’s currently theoretically possible. Which, for the moment, is good news. 1 2008 CSI Computer Crime and Security Survey Key Findings This year’s survey results are based on the responses of 522 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities. This is the 13th year of the survey. The most expensive computer security incidents were those involving financial fraud… …with an average reported cost of close to $500,000 (for those who experienced financial fraud). The second-most expensive, on average, was dealing with “bot” computers within the organization’s network, reported to cost an average of nearly $350,000 per respondent. The overall average annual loss reported was just under $300,000. Virus incidents occurred most frequently… …occurring at almost half (49 percent) of the respondents’ organizations. Insider abuse of networks was second-most frequently occurring, at 44 percent, followed by theft of laptops and other mobile devices (42 percent). Almost one in ten organizations reported they’d had a Domain Name System incident… …up 2 percent from last year, and noteworthy, given the current focus on vulnerabilities in DNS. Twenty-seven percent of those responding to a question regarding “targeted attacks”… …said they had detected at least one such attack, where “targeted attack” was defined as a malware attack aimed exclusively at the respondent’s organization or at organizations within a small subset of the general business population. The vast majority of respondents said their organizations either had (68 percent)… …or were developing (18 percent) a formal information security policy. Only 1 percent said they had no security policy. 2 2008 CSI Computer Crime and Security Survey DETAILED SURVEY RESULTS NOTE: The dates on the figures refer to the year of the report (i.e., 2008); the supporting data is based on the preceding year. This is an informal survey. As one might expect, this report looks specifically at what the 522 respondents to this year's questionnaire had to say. In looking at this data, certain inherent constraints on interpretation should be born in mind. First and foremost, this isn’t a random sample of all the people in the country who are ostensibly responsible for the security of their networks. Rather, there is almost certainly a skew created by the fact that this is the CSI community—members of the organization and those who move in its orbit (attending paid conferences and the like) without necessarily being members. It’s a community that is actively working to improve security. This pool, in short, doesn't stand in for the organizations in the United States that are simply not paying attention to security (and there are, unfortunately, all too many such organizations). But an important question that we in the security field must have a ready answer for is this: Do current best practices produce results? In a profession filled with (often quite justified) concerns about what will be different and more insidious about the next round of attacks, we must also take time to consider what the run-of- the-mill, present-day attacks look like and whether we’ve done anything worthwhile to keep the attackers at bay. While much of the news in the information security field isn’t encouraging, there’s arguably some fairly good news with regard to how practitioners who are making a concerted effort are faring against commonplace threats such as computer viruses. And while we’re not surveying the world at large, there’s reason to believe that changes in survey results over time reflect changes in the CSI community. Five thousand surveys are sent out and 522 were received back, meaning there was a 10 percent response rate. That level of response is quite respectable, but the question requiring judgment is that of whether those who chose to reply were markedly different that those who did not. Even if you imagine that those not answering the survey are altogether different in some way from those who do, it’s interesting to note that the demographics of the respondents have remained very stable over the years, as has the basic makeup of the CSI community. 3 2008 CSI Computer Crime and Security Survey We feel confident that similar groups complete the survey year over year. And, indeed, the vast majority of the questions yield virtually the same statistics year over year. The answers that have changed have been primarily the estimates of losses to cybercrime and we've seen them both rise and fall dramatically. One could argue, as some have done, that security professionals simply don’t have a clue how badly they are beaten down and robbed by their hacker adversaries. If that’s the case, then their estimates of financial loss should simply be ignored. Our view is that this can only be the case if we take a needlessly dim view of the intellect of our peers. They almost certainly don’t have an exact and accurate reckoning of losses due to, say, a denial-of-service attack (there’s no standard way for arriving at such a number, so how could they?). But to say that they don’t notice when their business is crippled due to such an attack is fear-mongering. For our part, we think the rough reckoning of seasoned professionals is nevertheless worth attentive consideration. When the group says they lost less money this past year than they lost two or three years ago, we think it means they lost less money. About the Respondents The CSI survey has always been conducted anonymously as a way of enabling respondents to speak freely about potentially serious and costly events that have occurred within their networks over the past year. This anonymity introduces a difficulty in interpreting the data year over year, because of the possibility that entirely different people are responding to the questions each time they are posed. There is, despite that concern, real consistency in the demographics year over year. As figure 1 shows, organizations covered by the survey include many areas from both the private and public sectors. The outer ring shows the current year's statistical breakdown, while the inner rings show the prior years. There is a fair degree of consistency in the breakdown over the past three years, though there have been some shifts due to the addition of new categories (military and law enforcement) last year. 4 2008 CSI Computer Crime and Security Survey The sectors with the largest number of responses came from the financial sector (22 percent), followed by consulting (15 percent), information technology (9 percent), and health services (7 percent). The portion coming from government agencies (combining federal, state, and local levels) was 13 percent (down 4 percent from last year) and educational institutions accounted for 7 percent of the responses. The diversity of organizations responding was also reflected in the 10 percent designated as “Other.” Figure 2 shows that the survey pool leans toward respondents from large enterprises. Organizations with 1,500 or more employees accounted for a little less than half of the responses. As the chart shows, the percentages of respondents from the various categories remained very close to this question's breakdown in 2006 and 2007. That breakdown clearly favors larger organizations, at least compared to the U.S. economy as a whole, where there is a preponderance of small businesses. 5 2008 CSI Computer Crime and Security Survey Figure 3 shows the composition of the responding commercial enterprises by the annual revenue they generated. Again the skew toward larger organizations is evident. The survey also categorized respondents by job title. Figure 4 illustrates that 32 percent (slightly up from last year’s 29 percent) of the respondents were senior executives with the titles of chief executive officer (CEO) (7 percent), chief information officer (CIO) (10 percent), chief security officer (CSO) (3 percent) or chief information security officer (CISO) (12 percent). The single largest category of specific respondents (25 percent) had the job title of security officer, while an additional 8 percent of respondents had the title of system administrator, while 34 percent had 6 2008 CSI Computer Crime and Security Survey various other titles. Last year's questionnaire turned up only one respondent who ticked the checkbox for chief privacy officer, but this year two turned up.
Load more

Recommended publications
  • TO: Charles F. Bolden, Jr. Administrator December 17,2012 FROM: Paul K. Martin (79- Inspector General SUBJECT: NASA's Efforts To
    National Aeronautics and Space Administration Office of Inspector General N~~, J. Washington, DC 20546-0001 December 17,2012 TO: Charles F. Bolden, Jr. Administrator FROM: Paul K. Martin (79- Inspector General SUBJECT: NASA's Efforts to Encrypt its Laptop Computers On October 31, 2012, a NASA-issued laptop was stolen from the vehicle ofa NASA Headquarters employee. The laptop contained hundreds of files and e-mails with the Social Security numbers and other forms of personally identifiable information (PH) for more than 10,000 current and former NASA employees and contractors. Although the laptop was password protected, neither the laptop itself nor the individual files were encrypted. l As a result of this loss, NASA contracted with a company to provide credit monitoring services to the affected individuals. NASA estimates that these services will cost between $500,000 and $700,000. This was not the first time NASA experienced a significant loss of PH or other sensitive but unclassified (SBU) data as a result of the theft of an unencrypted Agency laptop. For example, in March 2012 a bag containing a government-issued laptop, NASA access badge, and a token used to enable remote-access to a NASA network was stolen from a car parked in the driveway of a Kennedy Space Center employee. A review by information technology (IT) security officials revealed that the stolen computer contained the names, Social Security numbers, and other PH information for 2,400 NASA civil servants, as well as two files containing sensitive information related to a NASA program. As a result of the theft, NASA incurred credit monitoring expenses of approximately $200,000.
    [Show full text]
  • Safeguarding Businesses from Mobile Data Breaches Combating the Threat of Laptop Theft and Loss
    Safeguarding Businesses from Mobile Data Breaches Combating the Threat of Laptop Theft and Loss A Zenith Security Solutions White Paper Executive Summary The time is long past when the only threat to a company’s sensitive and proprietary data came from hackers targeting its W eb site. Today, with business professionals turning to laptop computers as their most powerful information management tool, the rates of laptop theft and loss have risen dramatically. Laptops and the huge amounts of data they can store have become high-value targets for thieves. Each missing laptop magnifies the probability that valuable data will fall into the wrong hands. Companies ignore this risk at their peril. A data breach from a missing laptop can expose a A data breach from a missing laptop company to a variety of catastrophic scenarios —causing can expose a company to a variety of potentially irreparable damage to an organization’s reputation, its brand, its market share and its earnings. catastrophic scenarios. Hardly a week goes by without some news report about the impact of a data leak from a missing laptop. Businesses that haven’t experienced such a traumatic event should consider themselves fortunate, but it’s only a matter of time before they join the ranks of the victims Fortunately, there are concrete steps that companies can take to minimize the risk of such a breach. In fact, there are so many technologies available for laptop security that the choices can seem overwhelming. This white paper is intended to simplify the task of selecting an appropriate technology, in order to help decision makers meet the ongoing mobile data security challenge.
    [Show full text]
  • Cloaking Malware with the Trusted Platform Module
    Cloaking Malware with the Trusted Platform Module Alan M. Dunn Owen S. Hofmann Brent Waters Emmett Witchel The University of Texas at Austin {adunn,osh,bwaters,witchel}@cs.utexas.edu Abstract in Microsoft’s popular BitLocker drive encryption soft- The Trusted Platform Module (TPM) is commonly ware [7] and the United States Department of Defense has thought of as hardware that can increase platform secu- required the TPM as a solution for securing data on lap- rity. However, it can also be used for malicious pur- tops [4]. TPMs are regularly included on desktop, laptop, poses. The TPM, along with other hardware, can imple- and server-class computers from a number of manufac- ment a cloaked computation, whose memory state cannot turers. The wide dissemination of TPM functionality is be observed by any other software, including the operat- potentially a boon for computer security, but this paper ing system and hypervisor. We show that malware can examines the potential of the TPM for malware authors (a use cloaked computations to hide essential secrets (like first to our knowledge). the target of an attack) from a malware analyst. A malware writer can use the TPM for implementing We describe and implement a protocol that establishes cloaked computations which, combined with a protocol an encryption key under control of the TPM that can only described in this paper, impede malware analysis. The be used by a specific infection program. An infected host TPM is used with “late launch” processor mechanisms then proves the legitimacy of this key to a remote mal- (Intel’s Trusted Execution Technology [12, 8], abbrevi- ware distribution platform, and receives and executes an ated TXT, and AMD’s Secure Startup mechanism [10]) encrypted payload in a way that prevents software visibil- that ensure uninterrupted execution of secure binaries.
    [Show full text]
  • Lost Laptops = Lost Data Measuring Costs, Managing Threats by Glenn Kitteringham, CPP ABOUT the CRISP SERIES of REPORTS
    ASIS FOUNDATION CRISP REPORT Connecting Research in Security to Practice Lost Laptops = Lost Data Measuring Costs, Managing Threats by Glenn Kitteringham, CPP ABOUT THE CRISP SERIES OF REPORTS Connecting Research in Security to Practice (CRISP) reports provide insights into how different types of security issues can be tackled effectively. Drawing on research and evidence from around the world, each report summarizes the prevailing knowledge about a specific aspect of security, and then recommends proven approaches to counter the threat. Connecting scientific research with existing security actions helps form good practices. This series invites experts in specialist aspects of security to present their views on how to understand and tackle a security problem, using the best research evidence available. Reports are written to appeal to security practitioners in different types of organizations and at different levels. Readers will inevitably adapt what is presented to meet their own requirements. They will also consider how they can integrate the recommended actions with existing or planned programs in their organizations. In this CRISP report, Glen Kitteringham, CPP, analyzes strategies to protect laptops—and data—at the office, on the road, or at home. Practical checklists and classification schemes help the reader determine adequate levels of data protection. Replacing stolen units is just the start: lost productivity, damaged credibility, frayed customer relations, and heavy legal consequences can cripple both public and private sector organizations. CRISP reports are sister publications to those produced by Community Oriented Policing Services (COPS) of the U.S. Department of Justice, which can be accessed at www.cops.usdoj.gov. While that series focused on policing, this one focuses on security.
    [Show full text]
  • Laptop Data Breaches: Mitigating Risks Through Encryption and Liability Insurance by Julie Machal-Fulks and Robert J
    Laptop Data Breaches: Mitigating Risks Through Encryption and Liability Insurance By Julie Machal-Fulks and Robert J. Scott Laptop Data Breaches: Mitigating Risks Through Encryption And Liability Insurance By Julie Machal-Fulks and Robert J. Scott I. Introduction II. Laptops Lost in 2006 Since February 2005, the identities of approximately 93 million people have been exposed because of data Hundreds of thousands of individuals received leaks.1 Ponemon Institute conducted a recent survey of notification this year that their personal information was almost 500 corporate information technology departments compromised when criminals stole laptops or other portable regarding the security risks associated with portable devices containing sensitive information. This section will devices, such as laptops, personal data assistants (PDAs) describe the facts from some of the prominent cases this and USB memory sticks. Ponemon reported that 81 percent year. Many of these cases are recent, and it is unclear what of respondents have experienced a lost or stolen laptop litigation, if any, will result from the data breaches. or portable storage device.2 General Electric These losses of information can be very costly. In early September, a General Electric official left a laptop According to a report published by Symantec, the average computer in a locked hotel room. The laptop contained laptop contains data worth approximately $972,000.3 The the Social Security numbers of 50,000 current and former Federal Bureau of Investigation Computer Crime Survey employees. The official was authorized to have the data estimated that the average annual cost of computer on the laptop. Thieves stole the laptop from the Official’s security incidents is $67.2 billion.4 locked hotel room.
    [Show full text]
  • Media Kit Absolute Software Corporate Backgrounder
    Media Kit Absolute Software Corporate Backgrounder Snapshot of Success Overview A sample list of Absolute’s reference Absolute Software Corporation is a world leader in the security and management of mobile computers. customers: Our patented fi rmware-base software enables computer theft recovery, data protection and secure IT management delivered on a subscription basis. • Allina Hospitals & Clinics • Charlotte ISD Solutions • Daviess County Public Schools Absolute Software’s solutions help combat the security risks associated with mobile computing assets • Dysart Unifi ed School District and the asset management challenges they pose. • First United Bank • Grant Thornton Computrace Complete Computrace® Complete™ is a comprehensive solution for organizations that combines secure IT asset • General Services Administration (GSA) management, remote data delete, computer theft recovery and a Service Guarantee. Computrace • International Truck & Engine Complete allows IT administrators to centrally manage corporate asset activities such as monitoring • LifeCare Solutions, Inc. computer movement, call history, asset leasing information and software license compliance. It gives • McKinney Police Department staff the visibility to see up to 100% of their connected computer assets, including those off the • MDx Medical corporate network. • Mesquite ISD Computrace Plus • School District of Philadelphia Computrace® Plus™ is an ideal computer theft recovery solution. If a machine is stolen, The Absolute Theft • Storage Networking Industry Recovery Team will work with local law enforcement agencies to locate and recover the machine. Association (SNIA) • St. Andrew’s College Computrace Data Protection Computrace® Data Protection™ offers customers who are concerned with protecting sensitive information • St. Francis University and the mobile computers that contain it, but do not need the services of the Theft Recovery Team.
    [Show full text]
  • Safeguarding Critical Enterprise Assets and Data Symantec PGP® Whole Disk Encryption and PGP® Remote Disable & Destroy with Intel® Anti-Theft Technology
    White Paper Enterprise Security January 2011 Smart Security. Intelligent Mobile Platforms. Safeguarding Critical Enterprise Assets and Data Symantec PGP® Whole Disk Encryption and PGP® Remote Disable & Destroy with Intel® Anti-Theft Technology Each year, an estimated two million laptops are stolen, and 97 percent risks to the enterprise are further compounded by the loss of intellectual of those are never recovered.1 In addition, one in 10 people have lost a property, damage to the company’s brand image, loss of public and investor laptop, smartphone, or USB drive that contains corporate information.2 confidence, costs to notify clients, and lost revenue. In almost every case, these stolen hardware assets contain sensitive, If the data on a laptop is not protected and a breach occurs, the enterprise valuable data that is proprietary or confidential. These statistics represent can suffer costly notification and reporting expenses and be at risk a serious financial risk to the enterprise in lost physical assets (hardware) for litigation given the worldwide variety of privacy and data security and electronic assets (data and intellectual property). Enterprises need a regulations. In the United States, these include Sarbanes-Oxley (SOX), the reliable way to deter laptop theft, and if theft does occur, disable access to Fair and Accurate Credit Transactions Act (FACTA), and the Health Insurance or destroy the previously encrypted stolen data even though the hardware is Portability and Accountability Act (HIPAA). The European Union has its own out of reach. set of data security regulations. The Real Cost of Unprotected Assets Being able to remotely disable and destroy previously encrypted corporate 3 The average cost of a lost laptop is USD 49,246.
    [Show full text]